Ever noticed how many of the most useful books are really short? Kernighan and Ritchie on C programming and Kent Beck on Extreme Programming come to mind. Now we have a short, to-the-point, and similarly useful book on identity: Phil Windley's "Digital Identity". Increased integration, security concerns, distributed computing, SOA and Web Services, privacy issues, crimeware/malware, and compliance all conspire to make identity a mission-critical element in software architecture. Many of the key concerns get conflated and confused amidst the buzzwords and arcane terminology used by the identerati. What is needed is conceptual clarity about the key elements in identity management architecture, and how they relate to each other as well as to the software platform and its users.
Phil Windley's book, "Digital Identity", delivers the needed clarity, breaking identity management architecture (IMA) down into Process Architecture ("how your business accomplishes identity related tasks and how they should be accomplished in the future."), Data Architecture ("The data architecture is a model of the identity data in your organization"), and Technical Reference Architecture ("how the IMA communicates implementation guidance to system architects"). None of these architectural elements is a vendor-specific solution, so architecture work is required to design the correct approach for your organization. Windley describes two important parts of an IMA - Policies ("crucial in creating identity infrastructures that work for the simple reason that it's impossible to create technical solutions to every problem.") and an Interoperability Framework ("list of standards that your organization has chosen to support and use."). The supporting website contains useful policy templates for a wide variety of identity policy domains.
The early chapters deal with setting a consistent terminology for identity data and processes. Chapter 5 defines an identity lifecycle, including two helpful in-the-trenches observations: 1) identity maintenance is one of the most costly areas, and 2) deprovisioning is just as important as provisioning. Chapter 6 talks about cryptosystems, message digests, hashing, and related infrastructure (such as PKI); the part I found most useful is that Windley shows which solutions deliver particular properties such as confidentiality, integrity, and non-repudiation.
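To make the mechanism-to-property mapping concrete, here is an added example (my own code, not from Windley's book or its supporting website) that exercises a plain hash, an HMAC and a digital signature against a tampered message and records which guarantee each one actually delivers. The sample message, the shared key and the tiny RSA parameters are constructed for the demonstration; the RSA key is deliberately toy-sized and only illustrates why a signature, unlike a shared-key MAC, supports non-repudiation. Confidentiality is not covered here because none of these three primitives provides it; that is what encryption is for.

```python
import hashlib
import hmac
import secrets

# --- Mechanism 1: message digest (plain hash) ---------------------------------
def sha256_digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()

def hash_verify(message: bytes, stored_digest: bytes) -> bool:
    # Detects that a message differs from the one the digest was taken over.
    return hmac.compare_digest(sha256_digest(message), stored_digest)

# --- Mechanism 2: HMAC with a shared secret ----------------------------------
def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time comparison; also returns False on a wrong-length tag.
    return hmac.compare_digest(mac_tag(key, message), tag)

# --- Mechanism 3: digital signature (textbook RSA, toy-sized, illustration only)
def toy_rsa_keypair():
    p, q = 104729, 1299709          # constructed small primes; never use in practice
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, d), (n, e)           # (private key, public key)

def rsa_sign(private_key, message: bytes) -> int:
    n, d = private_key
    h = int.from_bytes(sha256_digest(message), "big") % n
    return pow(h, d, n)

def rsa_verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    h = int.from_bytes(sha256_digest(message), "big") % n
    return pow(signature, e, n) == h

def demonstrate() -> dict:
    """Run each mechanism against a tampered message and record what it guarantees."""
    message = b"transfer 100 to account 42"    # constructed sample message
    tampered = b"transfer 900 to account 42"   # constructed tampered copy
    results = {}

    # Hash: spots the change, but anyone can recompute a matching digest for the
    # tampered message. Integrity holds only if the digest is stored out of reach.
    stored = sha256_digest(message)
    results["hash_detects_change"] = not hash_verify(tampered, stored)
    results["hash_forgeable_by_anyone"] = hash_verify(tampered, sha256_digest(tampered))

    # HMAC: integrity plus origin authentication for whoever holds the key.
    key = secrets.token_bytes(32)
    tag = mac_tag(key, message)
    results["mac_detects_change"] = not mac_verify(key, tampered, tag)
    results["mac_forgery_without_key_fails"] = not mac_verify(key, tampered, mac_tag(b"guess", tampered))
    # Both sender and receiver hold the key, so the receiver can produce a valid
    # tag itself. That is why an HMAC cannot give non-repudiation.
    results["mac_receiver_can_forge"] = mac_verify(key, tampered, mac_tag(key, tampered))

    # Signature: only the private-key holder can sign; the verifier needs only the
    # public key and cannot forge. This is the basis of non-repudiation.
    private_key, public_key = toy_rsa_keypair()
    signature = rsa_sign(private_key, message)
    results["signature_verifies"] = rsa_verify(public_key, message, signature)
    results["signature_detects_change"] = not rsa_verify(public_key, tampered, signature)
    return results

if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

Read the result table as the property matrix from the chapter: a bare digest gives integrity only against accidental change, an HMAC adds authentication of origin but not non-repudiation (the receiver can forge), and a signature gives integrity, authentication and non-repudiation. Keep in mind that the RSA here is unpadded textbook RSA with tiny primes, shown only so the asymmetric-key point is visible without an external library.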
Chapter 8 has a refreshing discussion of access control and the principle of least privilege in the real world. Many security policies blithely state (and restate) the principle of least privilege, but in reality it is often assumed rather than actually in place, and that gap creates problems. This chapter also has a good RBAC discussion. Chapter 9 draws important distinctions between directory services and relational databases, and gives prescriptive guidance on where each is appropriate. Chapter 9 also introduces the notion of metadirectories and virtual directories. Again, Windley maps these concepts directly to the specific issues they solve, making the book a very handy design partner for identity management architects.
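The gap between a least-privilege policy that is assumed and one that is enforced is easy to measure once RBAC is in place. The following added example (my own code, not the book's) builds a deny-by-default RBAC check and then audits a constructed access log to list privileges each user holds but never exercises; the roles, users and log lines are all sample data invented for the illustration.

```python
from collections import defaultdict

# Constructed sample RBAC model: role -> set of (resource, action) permissions.
ROLE_PERMISSIONS = {
    "help_desk": {("password", "reset"), ("user", "read")},
    "hr_admin":  {("user", "read"), ("user", "create"), ("user", "disable")},
    "dba":       {("db", "read"), ("db", "write"), ("db", "admin")},
}

# Constructed sample assignments: user -> set of roles. bob has accumulated two roles.
USER_ROLES = {
    "alice": {"help_desk"},
    "bob":   {"help_desk", "dba"},
    "carol": {"hr_admin"},
}

def permissions_for(user: str) -> set:
    """Union of the permissions of every role the user holds; unknown users get none."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def is_permitted(user: str, resource: str, action: str) -> bool:
    """Deny by default: only an explicitly granted (resource, action) is allowed."""
    return (resource, action) in permissions_for(user)

# Constructed sample access log: "<timestamp> <user> <resource> <action>" per line.
SAMPLE_LOG = [
    "2024-03-01T09:12:03Z alice password reset",
    "2024-03-01T09:40:11Z alice user read",
    "2024-03-01T10:02:45Z bob db read",
    "2024-03-01T10:03:01Z bob user read",
    "2024-03-02T08:15:30Z carol user create",
    "2024-03-02T08:20:00Z alice db read",      # outside alice's roles; should be denied
]

def parse_log(lines):
    """Yield (user, resource, action) tuples, skipping malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, user, resource, action = parts
        yield user, resource, action

def denied_attempts(lines) -> list:
    """Log entries the deny-by-default check would have refused."""
    return [(u, r, a) for u, r, a in parse_log(lines) if not is_permitted(u, r, a)]

def unused_privileges(lines) -> dict:
    """For each known user, the granted permissions never exercised in the log.

    A large set here is the 'assumed but not in place' least-privilege gap:
    the policy says minimal rights, but the role model grants more than is used.
    """
    used = defaultdict(set)
    for user, resource, action in parse_log(lines):
        if is_permitted(user, resource, action):
            used[user].add((resource, action))
    return {user: permissions_for(user) - used[user] for user in USER_ROLES}

if __name__ == "__main__":
    print("denied:", denied_attempts(SAMPLE_LOG))
    for user, perms in unused_privileges(SAMPLE_LOG).items():
        print(f"{user}: {len(perms)} unused privilege(s): {sorted(perms)}")
```

Running the audit over a real log window is the check that turns the written principle into evidence: users like bob, whose accumulated roles grant far more than their recorded activity uses, are exactly the cases where least privilege is assumed rather than in place, and the output gives the identity architect a concrete list of entitlements to review rather than a policy sentence to restate.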
Chapter 11 correlates standards to the identity lifecycle. SPML is geared towards provisioning, propagating, and deprovisioning; SAML is geared towards using identity; and XACML is geared towards maintaining identity (I am not sure why XACML is not included in using identity though). The power and challenges of SAML and XACML are well defined, though some additional examples would be helpful. For traditional information security people who need to understand how these important XML-based technologies work in decentralized SOA and Web Services systems, this chapter will be very helpful.
Chapter 12 on federating identity is my favorite. "Mirage of centralized efficiency...Centralized digital identity systems do not scale. Identity relationships are inherently web-like in structure while centralized technologies like directories are hierarchical." Windley also points out the lack of privacy support in SAML (which is why Dick Hardt calls federation Identity 1.5). The latter chapters show example identity data architectures, a technical reference architecture, and other elements. In sum, this book is extremely useful at the conceptual level, helping identity architects think, plan, and act strategically, and it offers real-world, in-the-trenches advice on how to execute tactically.